Shalala’s Message on U.Miami Employee Medical Data Privacy Breach

This popped into the inbox:

A Message from President Shalala

April 17, 2008

To the University Community:

I wanted to let all of you know that we recently learned that a case containing computer back-up tapes with patient information and employee health benefit information was stolen from an outside storage company vehicle. The truck was on its way to an off-site storage facility. Local law enforcement is investigating the theft. Unfortunately, our employees' basic health information was on those tapes.

Shortly after learning of the incident, the University determined it would be unlikely that a thief would be able to access the back-up tapes because of the highly secured format in which they were written. Even so, we engaged the leading computer security experts in the U.S. to attempt to hack into the data from a similar back-up tape. All of their attempts over a lengthy process were unsuccessful. Based on this information, we believe misuse of the information on the tapes is unlikely.

The tapes were in a transport case that was stolen from a storage company vehicle on March 17 in downtown Coral Gables. The Coral Gables police have told us this is one of a series of vehicle thefts in the same area.

Because accessing the tapes is highly unlikely, we are not required by Florida law to disclose information about the theft, and we are confident that everyone's data is safe, we felt that it was in the best interest of our patients to be completely transparent in this matter. Also, it is the ethical thing to do.

Anyone who has been a patient of a University of Miami physician or visited a UM facility since January 1, 1999, is likely to have their basic information included on the tapes. The data on the tapes included names, addresses, Social Security numbers, or health information. The University will be notifying by mail the 47,000 patients whose data may have included credit card or other financial information regarding bill payment.

Off-site storage is standard practice and is particularly critical in areas susceptible to severe weather. I want you to know the University's permanent records are not affected; all your information remains current, safe, and appropriately available on UM systems.

We have created a Web site to serve as the principal source of information about this incident: www.dataincident.miami.edu. As a back-up for this Web site, we have established a call center at 1-866-628-4492. If you receive any calls asking about the incident, please encourage callers to visit the Web site.

I deeply regret any concern this event may cause, and you have my assurance that everything possible is being done to make UM the safest place for our patients' health information.

There's an online FAQ with a tiny bit more info, including this teaser:

Q: Is my personal information at risk?
A: After consulting with computer security professionals, the University has determined that it is unlikely that the data on the tapes could be accessed by an unauthorized user. Attempts by a leading Miami-based computer security firm to access the information on identical tapes were unsuccessful. Therefore, we believe misuse of the information on these tapes is unlikely.

There's a phone number to call if you want more info. I called it to find out the name of the “leading Miami-based computer security firm” as I'm always interested to know about local folks who do computer security. The call center person referred me to the web site from which I got her phone number.

Update: A kindly correspondent points me to this UM press release which says a lot more about the security issue than the official web site:

the University engaged leading computer security experts at Terremark Worldwide to independently ascertain the feasibility of accessing and extracting data from a similar set of backup tapes.

“For more than a week my team devised a number of methods to extract readable data from the tapes,” said Christopher Day, senior vice president of the Secure Information Services group at Terremark. “Because of the highly proprietary compression and encoding used in writing the tapes, we were unable to extract any usable data.”

Day said that his team also determined that even in the unlikely event that a thief had a copy of the same software used to write the tapes, “It would require certain key data which is not stored on the tapes before the software would make the data readable.”

Alan Brill, senior managing director at Kroll Ontrack, who was asked by the University to review the testing that had been done, said: “While the report shows it is not impossible to access the data, in this case there are many barriers that stand between a thief and being able to actually get usable data from the tapes. If the thief cannot cross all of those barriers simultaneously, they can’t access the data.”

This entry was posted in U.Miami. Bookmark the permalink.

One Response to Shalala’s Message on U.Miami Employee Medical Data Privacy Breach

  1. PHB says:

    If the statute states that ‘unlikely’ is an acceptable security level rather than ‘encrypted using a strong algorithm and a key that has not been disclosed’ it is defective. I would be interested to know if this is really what the statute says.

    It does seem rather interesting that the university is charged with finding a security consultant that will tell it whether it should drop a quarter million or so sending out breach notification notices. Proprietary encryption algorithms have repeatedly proven to be insecure. It is hard to believe that a proprietary compression algorithm is more effective.

    We should also consider the incentive for the attacker. If the details are sufficient to apply for a credit card they would fetch of the order of dollars to tens of dollars per name. If the details were more comprehensive they could enable mortgage loan frauds and be worth rather more.

    I very much doubt that a proprietary compression scheme would take a specialist more than a week to break. Once the scheme is broken the knowledge can be reapplied in the future.

Comments are closed.